Microsoft-Windows-Winsock-NameResolution

16 events across 1 channel

Event	Title	Channel	Sample
1000	GetAddrInfoW is called for queryName NodeName, serviceName ServiceName, flags …	Operational	Y
1001	GetAddrInfoW is completed for queryName NodeName with status Status and result …	Operational	Y
1002	GetAddrInfoExW is called for queryName NodeName, serviceName ServiceName, …	Operational	Y
1003	GetAddrInfoExW asynchronous query is pending for queryName: NodeName with cancel …	Operational	Y
1004	GetAddrInfoExW is completed for queryName NodeName with status Status and result …	Operational	Y
1005	GetAddrInfoExCancel is called for query CancelHandle and seq Location.	Operational	N
1006	NSPLookupServiceBegin is called for provider ProviderGUID, queryName QueryName, …	Operational	Y
1007	NSPLookupServiceBegin is completed for provider ProviderGUID, queryName …	Operational	Y
1008	NSPLookupServiceNext is called for provider ProviderGUID, control Flags …	Operational	Y
1009	NSPLookupServiceNext is completed for provider ProviderGUID, control Flags …	Operational	Y
1010	NSPLookupServiceEnd is called for provider ProviderGUID and lookup handle …	Operational	Y
1011	NSPLookupServiceEnd completed for provider ProviderGUID and lookup handle …	Operational	Y
1012	GetAddrInfoExW info.	Operational	Y
1013	Wsa Startup.	Operational	Y
1014	Wsa Cleanup.	Operational	Y
1015	NSJOB info.	Operational	N

Event ID 1000: GetAddrInfoW is called for queryName NodeName, serviceName ServiceName, flags Flags, family Family, socketType SocketType, protocol Protocol and seq Location.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Level: Informational
Task: WinsockGai

Description

GetAddrInfoW is called for queryName NodeName, serviceName ServiceName, flags Flags, family Family, socketType SocketType, protocol Protocol and seq Location.

Message #

GetAddrInfoW is called for queryName %1, serviceName %2, flags %4, family %5, socketType %6, protocol %7 and seq %3

Fields #

Name	Description
`NodeName` UnicodeString
`ServiceName` UnicodeString
`Location` UInt32
`Flags` UInt32
`Family` UInt32
`SocketType` UInt32
`Protocol` UInt32	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:41.692985+00:00",
    "event_record_id": 17,
    "correlation": {
      "ActivityID": "4EC9235F-7114-46CF-A033-E58E6B97986C"
    },
    "execution": {
      "process_id": 832,
      "thread_id": 3636
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NodeName": "ludus",
    "ServiceName": "NULL",
    "Location": 118,
    "Flags": 5,
    "Family": 0,
    "SocketType": 0,
    "Protocol": 0
  },
  "message": ""
}

Event ID 1001: GetAddrInfoW is completed for queryName NodeName with status Status and result Result.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Level: Informational
Task: WinsockGai

Description

GetAddrInfoW is completed for queryName NodeName with status Status and result Result.

Message #

GetAddrInfoW is completed for queryName %1 with status %2 and result %3

Fields #

Name	Description
`NodeName` UnicodeString
`Status` UInt32	NTSTATUS reference
`Result` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:41.692988+00:00",
    "event_record_id": 18,
    "correlation": {
      "ActivityID": "4EC9235F-7114-46CF-A033-E58E6B97986C"
    },
    "execution": {
      "process_id": 832,
      "thread_id": 3636
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NodeName": "ludus",
    "Status": 11001,
    "Result": ""
  },
  "message": ""
}

Event ID 1002: GetAddrInfoExW is called for queryName NodeName, serviceName ServiceName, nameSpace NameSpace, nameSpace GUID NameSpaceGuid, flags Flags, family Family, socketType SocketType, protocol protocol, in...

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Level: Informational
Task: WinsockGai

Description

GetAddrInfoExW is called for queryName NodeName, serviceName ServiceName, nameSpace NameSpace, nameSpace GUID NameSpaceGuid, flags Flags, family Family, socketType SocketType, protocol protocol, interface index InterfaceIndex, timeOut TimeOutInSec, asyncWithCallBack AsyncWithCallback, asyncWithOverlapped AsyncWithOverlapped and seq Location

Message #

GetAddrInfoExW is called for queryName %1, serviceName %2, nameSpace %4, nameSpace GUID %5, flags %6, family %7, socketType %8, protocol %9, interface index %10, timeOut %11, asyncWithCallBack %12, asyncWithOverlapped %13 and seq %3

Fields #

Name	Description
`NodeName` UnicodeString
`ServiceName` UnicodeString
`Location` UInt32
`NameSpace` UInt32
`NameSpaceGuid` GUID
`Flags` UInt32
`Family` UInt32
`SocketType` UInt32
`protocol` UInt32
`InterfaceIndex` UInt32
`TimeOutInSec` UInt32
`AsyncWithCallback` UInt32
`AsyncWithOverlapped` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1002,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033434+00:00",
    "event_record_id": 188,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NodeName": "us-v20.events.endpoint.security.microsoft.com",
    "ServiceName": "NULL",
    "Location": 226,
    "NameSpace": 12,
    "NameSpaceGuid": "00000000-0000-0000-0000-000000000000",
    "Flags": 131074,
    "Family": 0,
    "SocketType": 1,
    "protocol": 6,
    "InterfaceIndex": 0,
    "TimeOutInSec": 0,
    "AsyncWithCallback": 0,
    "AsyncWithOverlapped": 1
  },
  "message": ""
}

Event ID 1003: GetAddrInfoExW asynchronous query is pending for queryName: NodeName with cancel Handle CancelHandle.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Level: Informational
Task: WinsockGai

Description

GetAddrInfoExW asynchronous query is pending for queryName: NodeName with cancel Handle CancelHandle.

Message #

GetAddrInfoExW asynchronous query is pending for queryName: %1 with cancel Handle %2

Fields #

Name	Description
`NodeName` UnicodeString
`CancelHandle` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1003,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033473+00:00",
    "event_record_id": 195,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NodeName": "us-v20.events.endpoint.security.microsoft.com",
    "CancelHandle": 0
  },
  "message": ""
}

Event ID 1004: GetAddrInfoExW is completed for queryName NodeName with status Status and result Result.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Level: Informational
Task: WinsockGai

Description

GetAddrInfoExW is completed for queryName NodeName with status Status and result Result.

Message #

GetAddrInfoExW is completed for queryName %1 with status %2 and result %3

Fields #

Name	Description
`NodeName` UnicodeString
`Status` UInt32	NTSTATUS reference
`Result` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1004,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.072980+00:00",
    "event_record_id": 206,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NodeName": "us-v20.events.endpoint.security.microsoft.com",
    "Status": 0,
    "Result": "20.42.65.85;"
  },
  "message": ""
}

Event ID 1005: GetAddrInfoExCancel is called for query CancelHandle and seq Location.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Task: WinsockGai

Description

GetAddrInfoExCancel is called for query CancelHandle and seq Location.

Message #

GetAddrInfoExCancel is called for  query %1 and seq %2

Fields #

Name	Description
`CancelHandle` UInt64
`Location` UInt32

Event ID 1006: NSPLookupServiceBegin is called for provider ProviderGUID, queryName QueryName, serviceGUID ServiceGUID, interface index InterfaceIndex and control flags ControlFlags.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: WinsockGai

Description

NSPLookupServiceBegin is called for provider ProviderGUID, queryName QueryName, serviceGUID ServiceGUID, interface index InterfaceIndex and control flags ControlFlags.

Message #

NSPLookupServiceBegin is called for provider %1, queryName %2, serviceGUID %3, interface index %4 and control flags %5

Fields #

Name	Description
`ProviderGUID` GUID
`QueryName` UnicodeString
`ServiceGUID` GUID
`InterfaceIndex` UInt32
`ControlFlags` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1006,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033445+00:00",
    "event_record_id": 189,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProviderGUID": "22059D40-7E9E-11CF-AE5A-00AA00A7112B",
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "ServiceGUID": "0002A803-0000-0000-C000-000000000046",
    "InterfaceIndex": 0,
    "ControlFlags": 3146000
  },
  "message": ""
}

Event ID 1007: NSPLookupServiceBegin is completed for provider ProviderGUID, queryName QueryName serviceGUID ServiceGUID, interface index InterfaceIndex, control flags ControlFlags and lookup handle LookupHandle ...

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: WinsockGai

Description

NSPLookupServiceBegin is completed for provider ProviderGUID, queryName QueryName serviceGUID ServiceGUID, interface index InterfaceIndex, control flags ControlFlags and lookup handle LookupHandle with status Status.

Message #

NSPLookupServiceBegin is completed for provider %1, queryName %2 serviceGUID %3, interface index %4, control flags %5 and lookup handle %6 with status %7

Fields #

Name	Description
`ProviderGUID` GUID
`QueryName` UnicodeString
`ServiceGUID` GUID
`InterfaceIndex` UInt32
`ControlFlags` UInt32
`LookupHandle` UInt64
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1007,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033450+00:00",
    "event_record_id": 190,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProviderGUID": "22059D40-7E9E-11CF-AE5A-00AA00A7112B",
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "ServiceGUID": "0002A803-0000-0000-C000-000000000046",
    "InterfaceIndex": 0,
    "ControlFlags": 3146000,
    "LookupHandle": 1894238103792,
    "Status": 0
  },
  "message": ""
}

Event ID 1008: NSPLookupServiceNext is called for provider ProviderGUID, control Flags ControlFlags and lookup handle LookupHandle.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: WinsockGai

Description

NSPLookupServiceNext is called for provider ProviderGUID, control Flags ControlFlags and lookup handle LookupHandle.

Message #

NSPLookupServiceNext is called for provider %1, control Flags %2 and lookup handle %3

Fields #

Name	Description
`ProviderGUID` GUID
`ControlFlags` UInt32
`LookupHandle` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1008,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033491+00:00",
    "event_record_id": 196,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProviderGUID": "22059D40-7E9E-11CF-AE5A-00AA00A7112B",
    "ControlFlags": 0,
    "LookupHandle": 1894238104368
  },
  "message": ""
}

Event ID 1009: NSPLookupServiceNext is completed for provider ProviderGUID, control Flags ControlFlags and lookup Handle LookupHandle with status Status and result Result.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: WinsockGai

Description

NSPLookupServiceNext is completed for provider ProviderGUID, control Flags ControlFlags and lookup Handle LookupHandle with status Status and result Result.

Message #

NSPLookupServiceNext is completed for provider %1, control Flags %2 and lookup Handle %3 with status %4 and result %5

Fields #

Name	Description
`ProviderGUID` GUID
`ControlFlags` UInt32
`LookupHandle` UInt64
`Status` UInt32	NTSTATUS reference
`Result` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1009,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033541+00:00",
    "event_record_id": 198,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 7344
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProviderGUID": "22059D40-7E9E-11CF-AE5A-00AA00A7112B",
    "ControlFlags": 0,
    "LookupHandle": 1894238103792,
    "Status": 11001,
    "Result": ""
  },
  "message": ""
}

Event ID 1010: NSPLookupServiceEnd is called for provider ProviderGUID and lookup handle LookupHandle.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: WinsockGai

Description

NSPLookupServiceEnd is called for provider ProviderGUID and lookup handle LookupHandle.

Message #

NSPLookupServiceEnd is called for provider %1 and lookup handle %2

Fields #

Name	Description
`ProviderGUID` GUID
`LookupHandle` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1010,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033551+00:00",
    "event_record_id": 199,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 7344
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProviderGUID": "22059D40-7E9E-11CF-AE5A-00AA00A7112B",
    "LookupHandle": 1894238103792
  },
  "message": ""
}

Event ID 1011: NSPLookupServiceEnd completed for provider ProviderGUID and lookup handle LookupHandle with status Status.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: WinsockGai

Description

NSPLookupServiceEnd completed for provider ProviderGUID and lookup handle LookupHandle with status Status.

Message #

NSPLookupServiceEnd completed for provider %1 and lookup handle %2 with status %3

Fields #

Name	Description
`ProviderGUID` GUID
`LookupHandle` UInt64
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1011,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033553+00:00",
    "event_record_id": 200,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 7344
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProviderGUID": "22059D40-7E9E-11CF-AE5A-00AA00A7112B",
    "LookupHandle": 1894238103792,
    "Status": 0
  },
  "message": ""
}

Event ID 1012: GetAddrInfoExW info.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Level: Informational
Task: WinsockGai

Description

GetAddrInfoExW info. queryName NodeName, serviceName ServiceName, nameSpace NameSpace, nameSpace GUID NameSpaceGuid, flags Flags, family Family, socketType SocketType, protocol protocol, interface index InterfaceIndex, timeOut TimeOutInSec, asyncWithCallBack AsyncWithCallback, asyncWithOverlapped AsyncWithOverlapped, error Error and seq Location

Message #

GetAddrInfoExW info.  queryName %1, serviceName %2, nameSpace %4, nameSpace GUID %5, flags %6, family %7, socketType %8, protocol %9, interface index %10, timeOut %11, asyncWithCallBack %12, asyncWithOverlapped %13, error %14 and seq %3

Fields #

Name	Description
`NodeName` UnicodeString
`ServiceName` UnicodeString
`Location` UInt32
`NameSpace` UInt32
`NameSpaceGuid` GUID
`Flags` UInt32
`Family` UInt32
`SocketType` UInt32
`protocol` UInt32
`InterfaceIndex` UInt32
`TimeOutInSec` UInt32
`AsyncWithCallback` UInt32
`AsyncWithOverlapped` UInt32
`Error` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1012,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033417+00:00",
    "event_record_id": 187,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NodeName": "us-v20.events.endpoint.security.microsoft.com",
    "ServiceName": "NULL",
    "Location": 307,
    "NameSpace": 12,
    "NameSpaceGuid": "00000000-0000-0000-0000-000000000000",
    "Flags": 131074,
    "Family": 0,
    "SocketType": 1,
    "protocol": 6,
    "InterfaceIndex": 0,
    "TimeOutInSec": 0,
    "AsyncWithCallback": 0,
    "AsyncWithOverlapped": 1,
    "Error": 0
  },
  "message": ""
}

Event ID 1013: Wsa Startup.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: WinsockGai

Description

Wsa Startup. seq: Location.

Message #

Wsa Startup. seq: %1.

Fields #

Name	Description
`Location` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1013,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:38.230772+00:00",
    "event_record_id": 1,
    "correlation": {
      "ActivityID": "DF92C490-B30B-0005-A2C8-92DF0BB3DC01"
    },
    "execution": {
      "process_id": 6952,
      "thread_id": 6108
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Location": 101
  },
  "message": ""
}

Event ID 1014: Wsa Cleanup.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: WinsockGai

Description

Wsa Cleanup. seq: Location. Refcount: RefCount.

Message #

Wsa Cleanup. seq: %1.  Refcount: %2.

Fields #

Name	Description
`Location` UInt32
`RefCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-NameResolution",
    "guid": "55404E71-4DB9-4DEB-A5F5-8F86E46DDE56",
    "event_source_name": "",
    "event_id": 1014,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:38.230787+00:00",
    "event_record_id": 2,
    "correlation": {
      "ActivityID": "DF92C490-B30B-0005-A2C8-92DF0BB3DC01"
    },
    "execution": {
      "process_id": 6952,
      "thread_id": 6108
    },
    "channel": "Microsoft-Windows-Winsock-NameResolution/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Location": 201,
    "RefCount": 2
  },
  "message": ""
}

Event ID 1015: NSJOB info.

Provider: Microsoft-Windows-Winsock-NameResolution
Channel: Operational
Task: WinsockGai

Description

NSJOB info. seq Location. Refcount: RefCount.

Message #

NSJOB info.  seq %1.  Refcount: %2.

Fields #

Name	Description
`Location` UInt32
`RefCount` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {55404E71-4DB9-4DEB-A5F5-8F86E46DDE56}

Defined in ws2_32.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)